What is Personal Data Breach?
The definition of “Personal Data Breach” is not clearly defined in the Personal Data Protection Law (KVKK) and the guidelines issued by the Personal Data Protection Authority. The clearest definition on this issue is found in Article 4 of the General Data Protection Regulation (GDPR). The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed [1].
The interpretation of Article 12 titled "Obligations concerning data security" under the KVKK forms the basis for the definition of personal data breach. Responsibilities of the data controller in the article as follows:
i. To prevent unlawful processing of personal data,
ii. To prevent unlawful access to personal data,
iii. To ensure the protection of personal data.
The data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security for these purposes. Acts of data controllers against their obligations should be considered as a personal data breach [2].
Legal, Administrative and Criminal Remedies against Data Breach
Within the scope of laws such as KVKK, Turkish Civil Code and Code of Obligations, different protection methods have been determined within the scope of the realization and consequences of the data breach. Accordingly, persons who suffer damage as a result of unlawful processing or use of their personal data may first apply to the data controller. If the data controller does not respond to the request or if the response is inadequate, persons who have suffered damage as a result of unlawful processing or use of personal data may apply to the Personal Data Protection Authority. Following the application or ex officio review, the Authority may examine the complaints made and make decisions to make the necessary corrections to the data controller and/or impose administrative fines. In addition, persons who suffer damages as a result of unlawful processing or use of personal data may file a criminal complaint in accordance with the relevant provisions of the Turkish Penal Code [3].
In addition, the right to compensation for pecuniary and non-pecuniary damage arising from the violation also exist.
Personal Data Breach at Workplace and Employees' Termination Rights
Personal data breaches are a common issue in workplaces. Such breaches may violate the legal rights of employees, and if the employer fails to fulfil its obligations, the employee may be entitled to termination.
Personal data breaches in workplaces may occur when an employer fails to adequately protect employee’s personal data or processes it without consent. In the event of such a breach, the employer violates the legal rights of the employee and the employee may use the right of termination. In this case, due to the employer's failure to fulfil its obligations, the employee may use the right of termination for just cause within the scope of situations that do not comply with the rules of morality and good faith. Considering that the violation of personal data is considered as a violation of the personal rights of the employee or the violation of fundamental rights such as the right to protection of personal data, it would be contrary to the rule of honesty to expect the continuation of this employment relationship for the employee. Also, if it is determined that the existing violation has made the employment relationship unbearable, the employee may also terminate the employment relationship for just cause [4]. Therefore, the extent to which the continuation of the employment relationship is affected in terms of each concrete violation is an issue that needs to be evaluated.
In addition, in case of unlawful processing of personal data, the right to justified termination due to the employer's deception can also be evaluated. Pursuant to Article 24/2(a) of the Labour Law, "If the employer misleads the employee by showing false qualifications or conditions about one of the essential points of this contract or by giving information or saying words that are not in accordance with the truth", the employee's immediate termination right arises. It should be evaluated It should be evaluated separately in the context of concrete legal disputes whether incomplete or false information about the processing of personal data constitutes a factor of deception in this regard [5].
_____________________________________________________________________
[1] General Data Protection Regulation, A.4
[2] Personal Data Protection Law, A.12
[3] Personal Data Protection Law, A.13-14
[4] İlke Gürsel, İşçinin Kişisel Verilerinin Korunması Hakkı, Adalet Publishing, 2016, p. 420.
[5] Merve Ezgi Hisli, İş İlişkisinde Kişisel Verilerin Korunması, Akdeniz Uni. Institute of Social Sciences, Master’s Thesis, p. 86-87.